Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not allowed the exam invigilators will not answer any technical question during the exam readability and style of writing will be part of the grade
1 Stealing Bitcoins We recall the ECDSA signature scheme. We are given a point G of an elliptic curve and its prime order n. A secret key is a value d Z n and the public key is the point Q = dg. To sign a message M, we pick a random k Z n and we compute r = (kg) 1 mod n, where (kg) 1 denotes the x-coordinate of kg and (kg) 1 denotes its conversion into an integer; we compute s = H(M)+dr k mod n, where H(M) is the digest of M; the signature of M is (r, s). To verify a signature (r, s) of a message M for Q, we just compare r with a function V of (G, n, Q, r, s, M). Q.1 Say what is the verification function V. 2
Q.2 Assuming that a signing algorithm is implemented using a terrible random number generator (namely, with one for which the generated number often repeats), show that given two signed messages (M, r, s) and (M, r, s ) for the public key Q, an adversary may extract the secret key d. 3
Q.3 We recall that a bitcoin transaction for an account Q is a signature of a will to collect the UTXO utxo 1,..., utxo t owned by Q and split them to some accounts Q 1,..., Q u. Assuming that a user has implemented his ECDSA signing algorithm using a terrible random number generator, show how we can steal his bitcoins. 4
2 Kleptography Alice wants to communicate securely with Bob. For that, she buys a highly secure tamperproof device from the company mole.com and uses it to communicate. Upon reset, this device generates its own RSA secret key with random primes p and q, modulus n, and exponents e and d. In this implementation, the exponent e is random and of the same size as the modulus. It outputs n and e. Then, when we input a ciphertext, it decrypts it and returns the plain message. Q.1 Suggest a modulus length for good security and describe the algorithm to generate e. Q.2 The company mole.com is hiding a trapdoor to be able to decrypt messages. For this, there is a symmetric secret key t which is put inside the device and the exponent e is chosen of form SymEnc t (p) random. Explain how mole.com can decrypt messages sent to Alice. Q.3 Some agencies from the axis of evil (in the sense of G.W. Bush) succeed to reverse engineer devices from mole.com. Show that this creates a major national security issue for the country in which these devices are sold. 5
Q.4 Using asymmetric encryption, propose a new generation of mole.com devices which allows the company to continue to decrypt messages without risking a security break in the case of reverse engineering. Q.5 In the above question, when the selected asymmetric encryption is RSA, observe that due to moduli sizes, this decreases the security of the encryption. Propose a way to fix this. 6
3 AES-GCM Issues We recall the GCM mode of AES. We modified it a bit for simplicity in this exercise: we assume no associated data, all messages have a length multiple of 128 bits, and the authentication tag has 128 bits. To encrypt a message P with an AES key K and a 96-bit nonce IV, we split it into m 128-bit blocks P = (P 1,..., P m ) and run the following algorithm (written in pseudocode). 1: J i = IV (i + 1 mod 2 32 ) 32, i = 0,..., m, where x 32 is the binary representation of x in 32 bits 2: C = (C 1,..., C m ) where C i = P i AES K (J i ) 3: H = AES K (0 128 ) (called the authentication key) 4: S = C 1 H m C m H (with multiplications in GF(2 128 )) 5: T = S AES K (J 0 ) 6: the output is (C, T ) Q.1 Give the description of decryption/authentication in pseudocode. Q.2 Assuming that a user encrypts a message with m larger than 2 32, show how an adversary can recover the XOR of some plaintext blocks from the ciphertext (C, T ). 7
Q.3 Assuming that a user encrypts two messages P and P with the same nonce IV, show how an adversary can recover a set of small cardinality which contains the authentication key H. (For simplicity, we assume that P and P have the same length.) Q.4 If the adversary knows a set of small cardinality to which H belongs, show how he can decrypt any ciphertext (C, T ) with a nonce IV by a chosen ciphertext attack. 8
4 Prime Reuse in RSA In this exercise, we consider a pool of D RSA keys with a modulus length of s bits. We recall that the probability of a uniformly distributed random number in {1,..., n} to be prime is approximately 1 ln n. Q.1 Say how to check if two different RSA moduli use a prime factor p in common and why it is a security problem. Q.2 Using truly random prime numbers, estimate the probability that there exist two RSA keys on the Internet which have a prime factor in common (or estimate the number of pairs with a common prime factor). Justify your answer precisely. 9
Q.3 By scanning public keys over the Internet, one can find about D = 11 170 883 keys of size s = 1 024. We observed that 16 717 RSA keys share a common prime factor. What can we deduce? 10
5 Subgroup Issues in the Diffie-Hellman Protocol Let g be an element of a (multiplicative) Abelian group G and let g denote the subgroup of G generated by g. Let q denote the order of g. Let n denote the order of G. We consider the Diffie-Hellman protocol in which Alice picks a secret x Z q, computes X = g x, sends X to Bob. Bob picks a secret y Z q, computes Y = g y, sends Y to Alice. Alice checks that Y g and computes K = Y x. Bob checks that X g and computes K = X y. Let B be a given bound. Given q = q s q l with q s = p α 1 1 pαr r where the p i are pairwise different small primes (i.e. p i B) and q l has no small factor except 1, we denote F B (q) = {(p 1, α 1 ),..., (p r, α r )}. We recall that we have efficient (i.e. polynomial in B+log q) partial factoring algorithms to compute F B. We also recall that if p is a small prime (i.e. p B) and g G is an element of order p α, then there is an efficient (i.e. polynomial in αb) algorithm to compute the discrete logarithm in g. More precisely, there is an algorithm L 0 such that L 0 (B, p, α, g, g x ) = x mod p α. Q.1 If g has order q and (p 1, α 1 ) F B (q), show that there is an efficient algorithm to compute x mod p α 1 1 from g x. More precisely, show that there is an algorithm L 1 such that L 1 (B, q, p 1, α 1, g, g x ) = x mod p α 1 1 for any x. Justify your answer. Q.2 If g has order q = q s q l with q s = p α 1 1 pαr r where F B (q) = {(p 1, α 1 ),..., (p r, α r )}, show that there is an efficient algorithm to compute the modulo q s part of the discrete logarithm in g. More precisely, show that there is an algorithm L such that L(B, q, g, g x ) = x mod q s for any x. Justify your answer. 11
Q.3 With the previous notation, show that if instead of picking x in Z q Alice picks x uniform in {1,..., q s 1} Z q, then a passive adversary can recover x. Q.4 We now assume that y is a static key (i.e. Bob runs many sessions of the protocol by using the same value y). We consider that after the Diffie-Hellman protocol, Bob sends the encryption of a known message m (e.g. the null message m = 0) with the key KDF(X y ). Encryption is done using a deterministic symmetric encryption. We write n = pqr where p is a small prime (i.e. p B). Show that if Bob does not verify that X g, an active adversary can recover y mod p by malciously selecting X. 12